[openssl-project] Reuse of PSKs between TLSv1.2 and TLSv1.3

[Matt Caswell]

On 08/08/18 11:28, Matt Caswell wrote:
> For the full background to this issue see:
> 
> https://github.com/openssl/openssl/issues/6490
> 
> TL;DR summary:
> 
> The TLSv1.2 and TLSv1.3 PSK mechanisms are quite different to each
> other. OpenSSL (along with at least GnuTLS maybe others) has implemented
> an upgrade path which enables the reuse of a TLSv1.2 PSK in TLSv1.3.
> This is not prohibited by the spec. David Benjamin has raised concerns
> about this due to key separation. Everything else in TLSv1.3 is provably
> secure - but this is not. The spec has been updated to add some words of
> warning about this.
> 
> 
> There seems to be two schools of thought on what to do about this:
> 
> 1) We should seek to avoid this risk. As a fix we should disable TLSv1.3
> if TLSv1.2 PSKs have been configured. We expect that at some later time
> the IETF will come up with a better answer and when that happens we can
> implement it then. A PR to do the removal is here:
> https://github.com/openssl/openssl/pull/6836
> 
> 2) This is a theoretical risk - there might not actually be a problem at
> all, its just that we can't prove it. OTOH not upgrading to TLSv1.3 is
> definitely a bad thing, so we should just leave things as they are and
> accept the theoretical risk.
> 
> 
> I'll admit that I've been flip-flopping between the two approaches to
> this and there doesn't seem to be a clear consensus forming. How should
> we take this forward? Does it require an OMC vote?

Ok...no discussion...

I think perhaps a vote is the only way forward then. Does this vote text
seem reasonable?

"We should remove the TLSv1.2 to TLSv1.3 PSK compatibility mechanism as
discussed in issue 6490. If TLSv1.2 PSKs are configured (and not TLSv1.3
PSKs) then we should disable TLSv1.3."

If the vote fails then we will, by default, stick with the status quo
(which is effectively option 2). If it passes then that is option 1.

Matt